data management applying data analytics to a continuous auditing / continuous controls monitoring...

Data ManagementApplying Data Analytics to a Continuous Auditing / Continuous Controls Monitoring Solutions

Parm Lalli, CISA, ACDA

© 2009 Sunera LLC. All rights reserved.

2

Sunera Snapshot

Professional consultancy focused on regulatory compliance, internal audit, information security & technology services

Founded by former public accounting partners and professionals

Delivered more than 900 projects for 200 clients across a broad spectrum of industries

Employ 120 full-time professionals in Twelve offices across the United States and Canada

PCI certified security assessor

Registered with NASBA to offer CPE’s for our Internal Audit training courses

Certified integration partner for leading continuous controls monitoring solutions, including ACL, Approva, Lumigent, and SAP.

3© 2009 Sunera LLC. All rights reserved.

Sunera’s Data Management Practice Leaders

Parm Lalli is an ACL Certified Data Analysts (ACDA) and is the Canadian National Director for our Data Management Group. Parm has over 10 years of Data Analytics experience leading many Continuous Controls Monitoring implementations for organizations within many different industries. Parm has worked very closely traditionally with ACL and ACL products. Prior to joining Sunera, Parm was employed with ACL and worked with Audit departments, Business Unit Managers, and end users to address their Data Analytics needs using ACL. He worked on developing scripts across many different industries and applications. Parm has on a continual basis advised on the different strategies to overcome challenges on a successful Data Analytics implementation.

Peter Armstrong is also an ACL Certified Data Analyst (ACDA) and is one of the founding members of Sunera. While with Sunera, Peter has worked with many of our clients in implementing data analytics and continuous controls solutions. In addition, Peter has led many training sessions for ACL. Prior to forming Sunera, Peter was a Partner with KPMG and led risk-based services initially in Calgary and subsequently in the North Florida region. He has over 25 years of work experience with Sunera and KPMG in locations within Canada, New Zealand and the US. Peter is a Chartered Accountant (CA) and a Certified Information Systems Auditor (CISA).

Peter started working with ACL in 1991 and has worked with every version of ACL. In 1994, he held the first “advanced” ACL training course in North America which was attended by Internal audit professionals from across the US and Canada. Recently, he has taught version 8 and 9 to the Internal Audit departments of Wellcare, OSI, Burger King, RCCL, NCL, PNG, and the Cities of Tampa and St Pete.


What is Continuous Controls Monitoring

Continuous Controls Monitoring (CCM) is the term used to describe techniques of continuously monitoring and auditing an IT system. Typically CCM solutions will be applied to Enterprise Resource Planning systems. A Continuous Controls Monitoring solution can help to reduce compliance costs (through decreased manual controls and manual testing of those controls), strengthen a company's internal control environment and reduce the risk of unintentional or intentional errors and fraud.

The key objective of CCM is:

– To enable near real-time and regular monitoring of control effectiveness.

By monitoring the compliance with key controls, your organization can obtain ongoing assurance on the accuracy and validity of large volumes of data flowing through your systems, enabling the isolation and containment of control failures on a timely basis.


Common CCM Tools

A number of tools are available. The right choice will depend on the each companies business requirements, including considerations such as how well the proposed tool will integrate with existing systems and tools

– ACL

– SAP or Oracle GRC

– Approva

– Oversight

– Actuate BIRT

– Actuate e.Reports

– Cognos 8 BI Report Studio

– Crystal Reports

– InformationBuilders WebFOCUS

– JasperServer/iReport

– Microsoft SQL Server Reporting Services

– MicroStrategy Report Services

– SAS Web Report StudioGartner February 2009: Critical Capabilities for Business Intelligence Reporting


Types of Data Analytics?

Ad hoc Analysis

Time consuming

Data typically supplied by IT

Up to 50% more budgeted time required

Difficult to repeat tests if not documented

Exploratory type analysis

Repeatable Analysis

More skilled required than Ad Hoc testing

Pre-defined scripts created to perform same tests over and over again

More consistent and can be run more frequently

Data may be supplied by IT but imports are automated

Good documentation for the scripts / analytics



Centralized Analysis

Development, storing, and running of repeatable analytics is centralized

A single, powerful server is setup for the repeatable analytics

Data Imports are all automated

Standards in place for developing tests and scripting

Source data and results are stored on server

Better security for data files and result files

Great deal of documentation on tests, scripts, data, and sample logic

Continuous Auditing

Process of performing audit related tasks in a continuous manner

Continuous risk and control assessments types of testing

Compliance (SOX) control testing

Security event monitoring



Continuous Controls Monitoring (CCM)

Very skilled and experienced individuals are able to script and implement

All analytics and data imports are fully automated

No interaction from end users required

Allows for notification to be sent to Business Unit Manager about exceptions identified

May involve a web dashboard interface, workflow, remediation tracking, and heat maps

Better role based security for reviewing results

May provide Management with areas for improvement with Internal Controls

A better likelihood of identifying fraudulent activity

Acts as a very good deterrent system


Benefits of Data Analytics

Access data from many disparate sources

Independent of the systems and people being audited

100% transaction coverage with unlimited file sizes

Read-only data access to ensure the integrity of the data

Audit Trails are available to identify steps taken

Scripting/batching capabilities to capture test logic (like macros)

Very fast to run and produce results

Easier to comply with the provisions of Section 404 of the Sarbanes-Oxley Act

Close control loopholes before fraud escalates

Quantifies the impact of fraud

Cost-effective

Acts as a deterrent

Can be automated for continuous monitoring

Provides focus based on risk and probability of fraud

Direct pointers to critical evidence

Support for regulatory compliance

Logs for review and evidence

Scalability – Build on what you need

External Audit reliance


Data Analytics Automation Benefits

Validate effectiveness of internal controls

Identify occurrences of potential fraud

Identify transactional errors

Identify segregation of duties violations

Identify process deficiencies

Technology driven process

Tests 100% of transactions as opposed to sampling

Access data across disparate systems and geographies

Provide prompt notification of control breakdowns

Quantified exposure of business risk

Provides an auditable history of compliance tests and follow-up activities

Enables better allocation of skilled Audit/Technical resources within the organization


What are the Challenges?

IMPLEMENTING CHANGE!!!!

Change in culture for the organization

Defining what CCM can accomplish

Large volumes of data in multiple applications

Understanding data and processes

Monitoring of manual controls

Current reliance on reporting

Cost to implement

Ability to integrate with multiple compliance frameworks and into the existing IT environments

HOW DO YOU MAXIMIZE YOUR INVESTMENT IN CCM????


Where to Apply Data Analytics

What controls are eligible for automated testing?

Electronic data is available and accessible

Access to data through an automated process is possible

Rules can be documented or captured within test logic

Internal controls and Compliance controls

What are the ideal conditions for automated testing?

Large number of controls are in place

Large volumes of data

Multiple systems and data sources

Data at multiple locations

Capture fraudulent activities prior to a transaction reaching the end of a process


Data Analytics Steps for Mature Rollout

Steps for Implementing Continuous Controls Monitoring / Auditing

1. Vendor selection and product evaluation

2. Assess controls

3. Scope and design system requirements

4. Data warehouse implementation

5. Data access requirements definition

6. Analytics script development

7. Results verification and review

8. Adjusting logic, parameters, and thresholds

9. Rollout


Data Analytics Project Team

Project Team Skills

– Project Manager – Organize and manage all resources to complete the implementation project within the defined scope, time, and cost

– Business – Key owners of each business process to be monitored

– Audit – Process and control experts to identify areas of risk and test design

– IT – Key owners of the data and primary systems related to each of the processes

– Technical – Specialized experts to build, configure, and implement the monitoring tools


Data Analytics – Sunera Approach

Step 1

– Review existing business process risk documentation

– Review existing analytics for efficiency and effectiveness

– Updates existing analytics for full automation

Step 2

– Conduct additional reviews of business processes and identify risk areas

– Identify opportunities for improving process through Data Analytics

– Identify analytics opportunities within specific business processes

– Identify and verify all compensating controls



Step 3

– Add Risk Rating for identified analytics across business units

• High, Medium, Low

– Quantify risk areas based on business units ($$)

– Obtain Management agreement on ratings and quantitative measures

Step 4

– Create “Requirements Documentation”

• Data Requirements from all available sources

• Confirm test logic

• Confirm required parameters

• Confirm reporting fields

– Obtain agreement and sign off on Requirements document



Step 5

– Obtain sample data from all required sources

• Directly or Data dump

– Verify data based on Requirements document

• All fields present

• No corruption of data

– Perform Data Preparation

Step 6

– Create scripts for tests

– Create excel result sets

– Have end user and / or Business Unit Manager verify results

– Tweak any tests to remove false positives



Step 7

– Create scheduling for all tests

• Daily, weekly, monthly, quarterly

– Move all pieces into production environment

– Verify data connections / feeds

Step 8

– Create documentation for handoff

– Provide training to CCM stakeholders


A Mature Data Analytics Overview

Self contained on dedicated server

Fully automated and scheduled

Alerts to Business Unit Managers or stakeholders of results

Clear and concise documentation

– For all scripted analytics

– For setup and configuration

Training provided to any and all individuals involved; including new hires

Ongoing review of existing analytics and possible new analytics based on new business processes

Maintain a Change log for any addition or removal of scripts or changes to configuration


Data Analytics – Non-Industry Specific

Accounts payable Phantom vendors

Vendor / Employee collusion

Purchasing Purchase splitting

Purchases without Requisitions

Purchase cards Inappropriate, unauthorized

purchases

Travel & Entertainment Expenses Duplicate claims, inappropriate

activity

Payroll Phantom employees

Unauthorized overtime



Accounts Payable

Questionable invoices

Invoices without a valid P.O.

Sequential invoices

Over-billing

Quantity shipped less than quantity ordered

Pricing outside norm for product category

Item shipped of lower value than item ordered

Duplicate invoices

Multiple invoices for same item description

Invoices for same amount on the same date

Multiple invoices for same P.O. and date



Purchasing

Questionable purchases

P.O./invoices with amount paid > amount received

Purchases of consumer items

Split purchases

Similar transactions for same vendor within specific timeframe

Inflated prices

Compare prices to standard price lists or to historical prices

Phantom vendors

Vendor/employee comparison

Vendor has mail drop as sole address



Purchase Cards

Split purchases to avoid purchasing card limits

Purchases processed as two or more separate transactions

Identified by isolating purchases from specific vendors within short periods of time

Favored vendors for kickbacks

Trend analysis to compare current transaction volumes to previous time period

Suspicious purchases

Transactions that occur on weekends, holidays, or vacations

Travel related charges not on travel expenditure reports



Time and Expense

Duplicate claims

Submitting claims twice

Tracking “no receipt” claims

Isolate expenses without receipts and identify underlying trends through profiling techniques

Threshold reviews

Track personnel exceeding thresholds

Inappropriate activity

Compare expenses to travel records to ensure expenses claimed for valid trips

Trends by employee compared to peers


Data Analytics Sample Logic

Duplicates

• Exact Duplicate – All fields identical within investigation period

• Almost Duplicate Variance, Same-Different Duplicates

» Purchase Order: Same Vendor and Similar Amount

» Payments: Different Vendor Same Bank Account

» Payments: Same Vendor Different Invoice Number Similar Amount

» Payments: Same Vendor Same Invoice, Same Amount, Different Date

» Payments: Same Vendor Name, Same Amount, Same Date, Different Vendor ID



Authorization Limits

• Single and multiple accumulated values exceeding limits

• Transaction amounts that exceed or are just below the authorization limit

» Requisitions, Purchase Orders, Invoices, Payments

• Accumulated transaction amounts that exceed the authorization limit

» Split Requisitions, Split Purchase Orders, Split Invoices, Split Payments

Aging

• Single Record Age

» Days difference between Create Date and Approval Date

» Stale Requisitions, Stale Purchase Orders, Stale Invoices

• Multiple Files Aging

» Retroactive PO vs. Invoice (Invoice Create Date prior to PO Create Date)



Data Quality

• Identifying fields where critical data elements deviate from expected values and formats.

» Invalid ID formats, missing key values, invalid characters, invalid values

» Requisitions, Purchase Orders, Invoices, Received Goods, Payments

Matching (Join) - Amounts over variance thresholds

• PO Line Item vs. Invoice Line Item

• PO Line Item Quantity vs. Goods Received Quantity

• Accumulated Invoice Line Items vs. Payment

• Accumulated Invoices vs. Bulk Payment

Unmatched (Join) – Orphaned records or missing records

• Unauthorized Users: Requisitions, Purchaser



Example Analytic Logic

– SOD Security Table Level

• Comparing roles within ERP security tables to a conflict matrix

– SOD at Transaction Level

• Single Record Create/Modify vs. Approve

» Requisitions, Purchase Orders, Invoices, Payments

• Multiple files

» Create/Modify PO vs. Create/Modify/Approve Vendor Master Update

» Create/Modify PO vs. Receiver ID for Goods Received

» Create/Modify PO vs. Create/Modify Invoice



Numeric Pattern Matching

• Benford digital analysis: Exceptions which reveal themselves as digital anomalies.

» Higher than expected PO amount of $49,000, bypassing controls on amounts over $50,000.

• Numeric Sequence or Gaps: Exceptions which reveal themselves in a numeric sequence or gap.

» Invoice Number Sequences (suspect invoices)

• Transactions with even dollar amounts based on a divisor number, minimum transaction count, and threshold value.

» Expense Report Amounts with even dollar values



Date Pattern Matching

• Suspect transaction dates occurred on a weekend or holiday

» Expense Report transactions on weekends or holiday

• Period close dates

» Journal Entries where the current entry date is within a specified number of days prior/after the period close

Variance Tests

• Count and amount variance as compared to a yearly average.

» Invoice vendor product price variance

» Excessive vendor invoice counts


Data Analytics Sample Logic String Pattern Matching

• Name Match (% word match)

» Word exclusion lists to remove common words like: The, company, and, etc.

» Invoice: Employee Vendor Name Match – (Phantom Vendor)

» Invoice: Prohibited Vendors

• Address Match (Numeric or Alpha Numeric match)

» Match on zip/postal code plus numeric digits from address field.

» Match on alpha-numeric values from the Address field (no spaces or special characters)

» Invoice: Employee Vendor Address Match – (Phantom Vendor)

• Soundslike Match (phonetic match)

» SOUNDEX algorithm

» SOUNDSLIKE algorithm

» Payroll: Similar Employee Names

» T&E: Different expense cards assigned to employees with similar names


Data Analytics Rollout Options Insource

Internal resources plan and deploy all CCM initiatives

Outsource

Sunera resources (or other provider) perform all the activities required for CCM rollout

Provide documentation and training to client staff for maintenance of the program

Co-source

Sunera (or other provider) provides the knowledge and expertise and work with client staff

Share the work of developing and creating tests

Provide guidance

Perform reviews of client work conducted and provide feedback / insight

Conduct coaching sessions

Provide ongoing support and advice


Data Management Consulting Services

Sunera can work with your organization on a time & materials basis to assist with any of the following activities:

Forensic investigations

Cost recovery

Compliance audits

Establishment of a continuous monitoring program

Specific procedures that Sunera can assist with would include the following:

Identification and development of Data Analytics audit programs/procedures

Obtaining access to data tables (i.e. establishment of ODBC connections or data requests for IT)

Script development (basic to complex)

Interpretation of data analysis/results

Confirmation of exception results (i.e. identify any false positives and remove)

Management reporting

Establishment of continuous monitoring procedures/scripts


Data Analytics Training Option

Sunera Training Offers:

2 or 3 day training classes

Training is hands on and classes are tailored to meets your participants skill level (beginner, intermediate, advanced).

We customize the training by integrating your company data into the seminar so your employees get to work with realistic company scenarios.

Sunera is registered with the National Association of State Boards of Accountancy (NASB) as a sponsor of continuing professional education on the National Registry of CPE sponsors and offers CPE credits to those who attend and completed the training.

Training is provided by a Sunera Director or Principal Level associate with multiple years and project experience using ACL.

We are planning on offering a training course in Calgary in October pending sufficient interest.

Training (classroom instruction)can be provided to organizations directly.


Contact Information

For additional information on Sunera’s services visit our website at http://www.sunera.com or contact:

Parm LalliDirector(778) [email protected]

data management applying data analytics to a continuous auditing / continuous controls monitoring...

Documents

continuous controls

version of acl

leading continuous controls

acl products

sunera llc

data analytics needs

data management group

internal audit professionals